Information Security Risk Assessment Methodology


An information security risk assessment should take into account system-level risk (inclusive of applications and systems) and process-level risk (inclusive of the components of an information security program). Once the risk rating is established for each application and each component of the system, the dimension(s) of risk should be assigned to each. The minimum dimensions of risk should include the following:

Compliance risk. Maintaining legal compliance with various appropriate regulations as well as compliance with the organization's various governance guidelines and policies.

Transaction/Financial risk. Impacting earnings, cash flow, revenue or capital due to problems with or interruptions in service or product delivery.

Operational risk. The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

Reputational risk. Developing and retaining marketplace confidence in handling customers' financial transactions in an appropriate manner, within an acceptable time frame, as well as meeting the emerging needs of the customer base and community, which are important to protecting the safety and soundness of the Institution.

More than one dimension of risk can apply to an application or process. For example, the lack of a vendor management program can result in Operational and Compliance Risk. It could also potentially result in Reputational Risk if the vendor is breached, and in Financial/Transaction Risk if the service that the vendor provides is interrupted for a significant amount of time and prohibits the bank from generating revenue (account opening, loan products, wire transfers, etc.).

System-level Risk Definitions

Technologies identified as having high levels of aggregate risk typically require immediate attention, while those with moderate or low aggregate risk require continued execution of current risk management practices.

Threat Index

The Threat Index is based on the threats and vulnerabilities facing the system. A threat does not present a risk when there is no vulnerability that can be exercised (think of a standalone system used for a specific application that is not connected to the bank's network or the internet). Threat is defined as a potential to exercise a specific vulnerability. Vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the bank's security policy.

When NPPI (non-public personal information) or PII (personally identifiable information) is present within an application, or is processed or transmitted by or through a system or data transport, it carries a higher inherent risk rating due to the nature of the data and the fact that it becomes a target for hackers. In these types of applications and systems, controls should typically be stronger, more complex and multi-layered. An outsourced application or system is typically lower risk than the same application managed in-house, because the vendor that provides the outsourced service or product typically has a larger number of staff with more specialized skillsets to operate and monitor the service and the controls required to protect it.

Ratings for Threat Level

Low. The risk of attack to this system is very low. Factors affecting this rating could be limited access to the system in question, minor value of stored data, or technical obscurity which limits the number of potential attackers with an understanding of the system. Vulnerabilities are not trivial and require an expert level of technology and exploit practices to compromise.

Moderate. The risk of attack to this system is moderate. Factors affecting this rating could be remote accessibility of the system over the organization's internal network and use of well-known technology for which there are readily available attack tools. Knowledge of the system is widespread and as a result there is a large pool of potential attackers. The vulnerabilities are not trivial, however, and will require a deeper knowledge of technology and exploit practices to compromise.

High. The risk of attack to this system is extremely high. Factors affecting the rating could be that the system is publicly accessible from the Internet or other public networks and uses well-known technology for which there are readily available attack tools. Security controls are extremely weak and the vulnerabilities can definitely be compromised by an attacker with limited skill or knowledge.

Ratings for Impact Level

These ratings are based on the business impact to the organization resulting from a breach in security. This breach could allow unauthorized access to information on the system. A security breach, or act of nature, could damage or destroy the system so that it cannot perform its intended functions.

Low. A security breach on this system would cause minimal impact to the organization or its customers. It would affect a small number of persons or would impact a non-essential business process.

Moderate. A security breach on this system would cause moderate impact to the organization or its customers. It would affect a moderate number of persons or would impact an essential business process.

High. A security breach on this system would cause significant impact to the organization or its customers. It would affect a large number of persons or would impact a critical business process.

Criticality

This defines the overall criticality of the system to the bank's operations. A system may be categorized at a Low, Medium or High level based on its importance to the bank. This takes into account whether NPPI resides on or is processed through the system and how critical the system is to the bank's normal day-to-day business.

Low. A loss or interruption of services has minimal or no effect on the operations of the bank.

Moderate. A loss or interruption of services for an extended period of time limits the functions or services that the bank can provide to its employees and/or members and might cause financial loss.

High. A loss of the system or interruption of services for an extended period of time is mission critical and may require a business continuity plan to be activated.

Controls Risk

Security controls inhibit attempts to violate security policy and provide protection against system compromises. These controls encompass the use of technical and non-technical methods, including identification and authentication mechanisms, security policies, operational procedures, audit facilities and encryption methods. Further, controls can be Preventative or Detective in nature. The risk facing the bank due to the effectiveness (or ineffectiveness) of the control framework is defined as Controls Risk.

Low. The defined control framework is appropriate for the bank in light of the Threat Index and the overall risk to the bank is sufficiently controlled. Further, the defined controls are in existence and working properly.

Moderate. There is evidence of control practices that appear to mitigate some of the technology risks. Factors affecting the rating could be the fact that some controls are effective, while other controls are not or are missing.

High. The defined control framework is ineffective in light of the Threat Index on a particular system. There is little or no evidence of control practices. The control framework does not provide the requisite protection against the identified threats and vulnerabilities.

Risk

This defines the overall Vulnerability of the bank's systems and applications to Threats after assessing the controls. A system may be categorized at a Low, Moderate or High level based upon the profile of the system, including whether NPPI resides on or is processed through the system, whether that system is outsourced, the threat to the system (is it internet-facing), how critical the system is to the bank's normal day-to-day business, and the impact of a breach or interruption in service.

Low: controls meet Best Practices or exceed minimum requirements based upon the combination of Existence of NPPI, whether it is outsourced, the Threat level, Criticality and Impact to the bank and its members.

Moderate: controls meet minimum requirements based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its members.

High: controls are lacking or highly insufficient based upon the combination of Existence of NPPI, Threat level, Criticality and Impact to the bank and its members.

Example

Conducting a risk assessment on a web-based payroll system would produce the result in the table below. Assume that the application is internet-facing and outsourced, and that NPPI is transmitted to and stored at the service provider. Criticality is MODERATE since the pay cycle is twice monthly and the bank can write physical checks for the employees or pay via ACH if the vendor's system is unavailable. Controls that are in place include the following:

- Only 2 staff members from the bank's HR department have access to the application.
- It requires multifactor authentication.
- It requires a token.
- Password is complex and strong, requiring 10 characters, 1 uppercase, 1 numeric and 1 special character.
- Data is transmitted via a secure VPN.

Application Name   Outsourced  NPPI  Threat Index  Criticality  Impact  Controls  Risk
Web-based Payroll  Y           Y     H             M            H       L         L

Here is the same scenario with a different set of controls. Conducting a risk assessment on the web-based payroll system would produce the result in the table below. Assume again that the application is internet-facing and outsourced, and that NPPI is transmitted to and stored at the service provider. Criticality is MODERATE since the pay cycle is twice monthly and the bank can write physical checks for the employees or pay via ACH if the vendor's system is unavailable. Controls that are in place include the following:

- Only 2 staff members from the bank's HR department have access to the application.
- Password is strong, requiring 8 characters including 1 uppercase and 1 numeric.
- Data is transmitted via a spreadsheet attached to encrypted email.

The rating is listed as MODERATE but could possibly be considered HIGH.

Application Name   Outsourced  NPPI  Threat Index  Criticality  Impact  Controls  Risk
Web-based Payroll  Y           Y     H             M            H       M         M
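To make the methodology concrete, here is an added Python example (not part of the original document) that encodes the two web-based payroll scenarios as data and derives the Controls and Risk columns from the Threat Index, Criticality, Impact, NPPI and outsourcing inputs. The control point weights, thresholds and the combination rule are assumptions for this example: the page describes the dimensions and their ratings but gives no explicit formula.

```python
from dataclasses import dataclass

LEVELS = {"L": 0, "M": 1, "H": 2}   # the page's rating scale: Low / Moderate / High

@dataclass
class Controls:
    mfa: bool          # multifactor authentication required
    token: bool        # hardware token required
    pw_min_len: int    # required password length
    pw_classes: int    # character classes required (upper, numeric, special, ...)
    transport: str     # "vpn", "encrypted_email" or "other"
    named_users: int   # staff members with access to the application

@dataclass
class System:
    outsourced: bool
    nppi: bool
    threat: str        # Threat Index, Criticality and Impact ratings as "L"/"M"/"H"
    criticality: str
    impact: str
    controls: Controls

def control_points(c: Controls) -> int:
    # Assumed weights (the page gives no scoring): layered, stronger controls earn more.
    pts = int(c.mfa) + int(c.token) + (1 if c.named_users <= 2 else 0)
    pts += (2 if c.pw_min_len >= 10 and c.pw_classes >= 3
            else 1 if c.pw_min_len >= 8 and c.pw_classes >= 2 else 0)
    return pts + {"vpn": 2, "encrypted_email": 1}.get(c.transport, 0)

def controls_risk(c: Controls) -> str:
    # Controls column: Low for a strong, layered framework; High when there is
    # little evidence of control practices (assumed thresholds).
    pts = control_points(c)
    return "L" if pts >= 6 else "M" if pts >= 3 else "H"

def risk_rating(s: System) -> str:
    # Risk column, assumed combination rule following the page's reasoning: start from
    # the worst of Threat Index / Criticality / Impact, step down one level when no
    # NPPI is involved and one more when outsourced, then shift by the Controls Risk.
    score = max(LEVELS[s.threat], LEVELS[s.criticality], LEVELS[s.impact])
    score -= (0 if s.nppi else 1) + (1 if s.outsourced else 0)
    score += LEVELS[controls_risk(s.controls)] - 1   # Low: -1, Moderate: 0, High: +1
    return "LMH"[max(0, min(2, score))]

def scenario_strong() -> System:   # first payroll table on the page
    return System(True, True, "H", "M", "H", Controls(True, True, 10, 3, "vpn", 2))

def scenario_weak() -> System:     # second payroll table on the page
    return System(True, True, "H", "M", "H",
                  Controls(False, False, 8, 2, "encrypted_email", 2))
```

Under these assumptions risk_rating(scenario_strong()) returns "L" and risk_rating(scenario_weak()) returns "M", reproducing the two tables; the same weak control set on an in-house system is rated "H".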